Trusted — Risk Score 5/100
Last scan: 2 days ago
wan26-text-to-image
Generates WeChat Official Account cover images and technical architecture diagrams using the Alibaba Cloud Wanxiang 2.6 model
Legitimate Alibaba Cloud Wanxiang 2.6 image generation skill with no malicious indicators. All declared capabilities (network API calls, local file writes, .env loading) match implementation. Shell access is user-initiated setup only.
Skill Name: wan26-text-to-image
Duration: 47.0s
Engine: pi
Safe to install
Skill is safe to use. Consider pinning exact dependency versions in requirements.txt for reproducible builds.

Findings 2 items

Severity: Low
Finding: Loose version pinning in requirements.txt
Details: requirements.txt uses 'dashscope>=1.25.8' instead of an exact version. This can lead to unexpected behavior if a breaking update is released.
Evidence: dashscope>=1.25.8
Recommendation: Pin exact version: dashscope==1.25.8 (or latest verified stable)
Location: requirements.txt:1

Severity: Info
Finding: Multiple .env loading paths
Details: Skill loads .env from 4 locations (OPENCLAW_ENV_FILE, skill dir, ~/.openclaw/.env, ~/.workbuddy/.env). This is documented behavior matching OpenClaw conventions, but could theoretically load a rogue .env file.
Evidence: candidates.append(os.path.join(skill_dir, ".env"))
Recommendation: Ensure only trusted .env files are present in these directories
Location: wan26_generator.py:301
Resource    | Declared | Inferred | Status    | Evidence
Network     | READ     | READ     | ✓ Aligned | wan26_generator.py:58-63 - API calls to Alibaba Cloud domains (dashscope.aliyunc…
Filesystem  | WRITE    | WRITE    | ✓ Aligned | wan26_generator.py:417-426 - saves images to ~/WorkBuddy/<skill-name>/
Filesystem  | READ     | READ     | ✓ Aligned | wan26_generator.py:301-328 - reads .env from multiple paths (documented behavior…
Shell       | WRITE    | WRITE    | ✓ Aligned | setup.sh:44-56 - user-initiated API key setup only, not called automatically
Environment | READ     | READ     | ✓ Aligned | wan26_generator.py:40-43 - reads DASHSCOPE_API_KEY from environment
External URLs: 5 findings

Medium | External URL | https://help.aliyun.com/zh/model-studio/get-api-key | SKILL.md:96
Medium | External URL | https://help.aliyun.com/zh/model-studio/wan-image-generation-api-reference | SKILL.md:136
Medium | External URL | https://dashscope.aliyuncs.com/api/v1 | config.py:133
Medium | External URL | https://dashscope-intl.aliyuncs.com/api/v1 | wan26_generator.py:62
Medium | External URL | https://dashscope-us.aliyuncs.com/api/v1 | wan26_generator.py:63

File Tree

5 files · 31.3 KB · 895 lines
Python 2f · 688L Markdown 1f · 136L Shell 1f · 69L Text 1f · 2L
├─ 🐍 config.py Python 148L · 4.7 KB
├─ 📄 requirements.txt Text 2L · 27 B
├─ 🔧 setup.sh Shell 69L · 1.9 KB
├─ 📝 SKILL.md Markdown 136L · 4.4 KB
└─ 🐍 wan26_generator.py Python 540L · 20.2 KB

Dependencies 2 items

Package   | Version  | Source | Known Vulns | Notes
dashscope | >=1.25.8 | pip    | No          | Version not pinned
requests  | *        | pip    | No          | Version not pinned, standard library fallback

Security Positives

✓ No subprocess/shell execution in main generator code
✓ No base64, eval(), or dynamic code execution
✓ No credential exfiltration or external data transmission
✓ API key not echoed to terminal output
✓ .env files properly gitignored
✓ File permissions set to 0o600 for sensitive files
✓ Clean separation: shell access only for user-initiated setup, not automated execution
✓ Uses official Alibaba Cloud SDK (dashscope) with documented API endpoints
✓ All network requests go to legitimate Alibaba Cloud domains